Read, Write, Execute… WordPress (MU too) owners, groups and permissions.
OK… so this is where I geek out.
As I play more and more with WordPress, particularly WordPressMU, I am trying to figure out how to set file and folder permissions along with ownership so that the blogs are secure, yet you can do everything you need to be able to do… add themes, plug-ins, etc.
I have not been able to find anything online that clearly explains who needs to own what and what the correct permissions should be.
Recently, however, I attended a WordCamp in New York City and a session entitled “Locking Down the Chastity Belt on WordPress Security” from Brad Williams (Twitter: @williamsba - WebDevStudios.com), where all aspects of security were discussed.
In the session, Brad said that files should be set so the owner has read/write privileges and the group and other have read (644), and that folders should have read/write/execute for the owner and read/execute for the group and other (755). You can move to read/write/execute for the group, and then eventually for other as well, if you notice that you are getting errors, but you will need to experiment with the setting.
Some of the other information from the session included a list of good security plug-ins that you can use. WP-Security Scan offers a good set of tools and will also look at your file/folder structure and check the permissions. It will list the “Needed Chmod” and then the “Current Chmod” (see table below; current chmod not included).
| Name | File/Dir | Needed Chmod |
|---|---|---|
| root directory | ../ | 755 |
| wp-includes/ | ../wp-includes | 755 |
| .htaccess | ../.htaccess | 644 |
| wp-admin/index.php | index.php | 644 |
| wp-admin/js/ | js/ | 755 |
| wp-content/themes/ | ../wp-content/themes | 755 |
| wp-content/plugins/ | ../wp-content/plugins/ | 755 |
| wp-admin/ | ../wp-admin | 755 |
| wp-content/ | ../wp-content | 755 |
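The needed-versus-current comparison described above can be reproduced with a short script. This is an added example, not WP-Security Scan's code or anything shown in the session: it takes the needed modes from the table (paths normalised relative to the WordPress root) and applies the 644/755 rule to everything else. The sample tree, including `wp-content/themes/style.css`, is constructed for illustration.

```python
import os
import stat
import tempfile

# Needed modes from the table above, keyed by path relative to the WordPress root.
NEEDED = {
    ".": 0o755, "wp-includes": 0o755, ".htaccess": 0o644,
    "wp-admin": 0o755, "wp-admin/index.php": 0o644, "wp-admin/js": 0o755,
    "wp-content": 0o755, "wp-content/themes": 0o755, "wp-content/plugins": 0o755,
}

def audit(root):
    """Return sorted (path, current, needed, note) for entries whose mode differs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing about its target
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Anything not in the table falls back to 755 (folders) / 644 (files).
            default = 0o755 if stat.S_ISDIR(st.st_mode) else 0o644
            needed = NEEDED.get(rel, default)
            current = stat.S_IMODE(st.st_mode)
            if current != needed:
                loose = current & 0o022  # write bit set for group or other
                note = "writable by group/other" if loose else "differs from needed mode"
                findings.append((rel, format(current, "03o"), format(needed, "03o"), note))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample install with three deliberate deviations."""
    for d in ("wp-includes", "wp-admin/js", "wp-content/themes", "wp-content/plugins"):
        os.makedirs(os.path.join(root, d))
    for f in (".htaccess", "wp-admin/index.php", "wp-content/themes/style.css"):
        open(os.path.join(root, f), "w").close()
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, 0o755)
        for f in files:
            os.chmod(os.path.join(dirpath, f), 0o644)
    os.chmod(os.path.join(root, "wp-content/plugins"), 0o777)  # too permissive
    os.chmod(os.path.join(root, ".htaccess"), 0o666)           # too permissive
    os.chmod(os.path.join(root, "wp-admin/index.php"), 0o600)  # stricter than needed

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, current, needed, note in audit(root):
            print(f"{rel:22} current {current}  needed {needed}  {note}")
```

Point `audit()` at a real install's root to get the same report; it only reads modes and never changes them.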
The other plug-ins mentioned were:
The other piece to this puzzle is the ownership of the files and folders. To this point I still haven’t really gotten a straight answer. The best I can tell is that the machine should be the owner in most cases, otherwise it is the “_www” user, and that the group should be one that includes that user as well… but to be honest I can’t be sure here.
Whenever I am troubleshooting I first take whatever error code I am getting and Google it or throw it up on Twitter and see what people have to say. Then I’ll play with permissions and then as a last resort I will play with the owner and/or group settings.
If you can shed any light or share what you have found on this topic I am all ears!

